Integrating Oracle Portal and Microsoft Active Directory: Larry Meets Bill
Presented By: Craig Warman - Computer Resource Team, Inc. (USA)
Paper Section: 1
Overview of What's Ahead
• Oracle Portal 10g utilizes Oracle Internet Directory (OID) as its repository for user identity management
• Many organizations, however, have standardized on Microsoft Active Directory (AD) to manage user credentials
• This presentation describes how Oracle Directory Integration and Provisioning can be utilized to enable synchronization between OID and AD, including:
  • Establishment of Synchronization Profiles
  • When to modify mapping files
  • Synchronization startup and "bootstrapping"
  • Deployment of the Oracle-supplied Active Directory External Authentication Plug-in
  • Windows Native Authentication for "zero sign-on" capability (brief discussion)
Paper Section: 2
Three-Tier Deployment (diagram: Client Tier | Application Server Tier | Database Tier)
• Application Server Tier: App Server installation(s) containing Oracle 9iAS components, plus the Oracle AS10g Infrastructure providing centralized services
• Database Tier: Customer database instance(s)
• This collection of application server installations, infrastructures, and customer databases is called an Application Server Enterprise

The Infrastructure Server
• A type of 9iAS installation that provides centralized:
  • Security and management services
  • Configuration information
  • Data repositories
• It must be installed into its own Oracle Home
• In many production installations it resides on its own physical server
The Infrastructure Server (diagram: Oracle Internet Directory, Metadata Repository, Oracle 9iAS Single Sign-On, with Active Directory attached through the Oracle Directory Integration Platform)

Oracle 9iAS Single Sign-On
• Enables users to access multiple accounts and applications with a single username and password
• Stores and manages its information using calls to OID
• Uses browser-based cookies to help manage user sessions
• Applications that directly delegate authentication to the SSO server are known as Partner Applications:
  • Oracle Portal
  • Forms
  • Reports
  • Discoverer

Oracle Internet Directory
• A Lightweight Directory Access Protocol (LDAP) compliant directory service
• Provides centralized storage of information about:
  • Users
  • Groups
  • Applications
  • Resources

Metadata Repository
• Provides OID's information storage

Oracle Directory Integration Platform
• Enables synchronization between OID and various third-party directories such as Netegrity, iPlanet, Microsoft Active Directory, and others

The Directory Integration and Provisioning (DIP) Tool
• Enables synchronization between OID and other LDAP repositories
• Includes a connector specifically for one-way or two-way synchronization with Microsoft Active Directory
• Important Note: This connector cannot extract passwords from the AD repository (AD never exposes them over LDAP), so the Oracle-supplied Active Directory External Authentication Plug-in must be utilized in order to validate user-supplied passwords "behind the scenes" during a user login sequence
Paper Section: 3
Active Directory Account For Synchronization
• An Active Directory account capable of reading user and group profiles must be established for use by OID DIP during the synchronization process.
• Additionally, the account must have List Contents and Read Properties permission on the cn=Deleted Objects container so that it can synchronize user deletions back to OID.
Paper Section: 4
• This may be accomplished by granting the account Domain Administrative privileges, by making it a member of the Domain Admins group, or by granting it the Replicate Directory Changes permission.
• Of these, Replicate Directory Changes is the least-privileged choice. Domain Admins membership grants the synchronization account far more than it needs to read profiles and deleted objects, and its password has to be stored in the synchronization profile, so a compromise of that profile would then be a compromise of the domain.
• We'll create and use an account called [email protected] with Welcome1 as the password for this purpose. (Welcome1 is a lab value; use a long, unique password for a real synchronization account.)
Synchronization Profile Creation
Paper Section: 5
• Invoke the Oracle Directory Integration and Provisioning Server Administrator console
  • On Windows: Accessed through the Windows Start menu, under Programs : Oracle Infrastructure (home) : Integrated Management Tools : Oracle Directory Integration and Provisioning Server Administration.
  • On Unix: dipassistant -gui
• Login using the orcladmin account. The Oracle Directory Integration and Provisioning Server Administrator console window will appear.
• Detailed information about this tool appears in Chapter 3 of the Oracle Identity Management Integration Guide, which is available online at http://download-east.oracle.com/docs/cd/B14099_04/manage.1012/b14085/diptools.htm
• Select Active Directory Configuration in the System Objects list on the left-hand side of the window.
• An Express Configuration form will appear on the right-hand side of the window. Fill in the fields, then click the Apply button once entries are complete; a confirmation dialogue should then appear.
• Note that any Connector Name may be supplied (the value New is shown in this example); the Import Profile Name and Export Profile Name values are then generated based on that name (e.g. NewImport).
• Select Configuration Set 1 in the System Objects list on the left-hand side of the window.
• Next, select the Import version of the newly-created profile on the right-hand side of the window, and click the Edit button.
• A tabbed window will appear for the currently-selected profile. The following changes should be made:
  • Be sure to change the Profile Status to ENABLE
  • The Scheduling Interval and Maximum Number of Retries values may be adjusted to determine the synchronization frequency and maximum number of retry errors before failure, respectively
  • The Active Directory account and password may be modified using the Connected Directory Account and Connected Directory Account Password fields
  • On the Status tab, check the last synchronization status field periodically to ensure that synchronizations are succeeding; the Bootstrap Status will be set to BOOTSTRAP SUCCESSFUL after completing the instructions in this presentation
  • Click the OK button to save any changes
Profile Mapping (optional)
Paper Section: 6
• If the Active Directory structure used by the organization is non-standard or complex (such as one that spans multiple domains or employs an unusual group hierarchy) then the mapping may need modification.
• The Domain Rules in the .map file define the mapping characteristics between AD and OID.
• Each rule defines one mapping. A basic configuration will need only one rule, but if the mapping is complex then multiple rules may be defined.
• Detailed information about mapping files can be obtained from Metalink note #261342.1, available online at http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=261342.1
• The Oracle Directory Integration and Provisioning Server Administrator generates these files.
• They are located in the ldap\odi\conf directory of the current Oracle Home, and are named such that they match the profile to which they correspond (NewImport.map for the NewImport profile in this example).
• If the mapping files change then dipassistant must be invoked from the command line, making certain to have first set the ORACLE_HOME environment variable:
  dipassistant modifyprofile -port 13061 -profile NewImport -D "cn=orcladmin" -w admin01 odip.profile.mapfile=NewImport.map
  (substitute the OID port, profile name, and orcladmin password for your installation; note that a password given with -w is visible in the shell history and in process listings on that host for as long as the command runs)
• The following message should be displayed: Profile successfully modified.
Bootstrap Execution
Paper Section: 7
• An initial migration of data from AD to OID (called a "bootstrap") is made by invoking dipassistant from the command line, making certain to have first set the ORACLE_HOME environment variable:
  dipassistant bootstrap -port 13061 -profile NewImport -D "cn=orcladmin" -w admin01
  (substitute the OID port, profile name, and orcladmin password for your installation)
• Messages similar to the following should be displayed:
  -----------------------------------------------
  Bootstrapping in progress.....
  Bootstrapping completed.
  #entries read ..................... 125
  #entries filtered ................. 0
  #entries ignored .................. 0
  #successfully processed entries ... 125
  #failures ......................... 0
  Please see the log file for more information.
  -----------------------------------------------
  Updating the profile's last change number ..... Done.
• Upon completion of the bootstrap process, return to the Oracle Directory Integration and Provisioning Server Administrator console and click the Refresh button.
• Select and Edit the current profile, then check the Status tab to see that the bootstrap success was recorded (Bootstrap Status should read BOOTSTRAP SUCCESSFUL).
• Invoke the Oracle Directory Manager console to examine the migrated user and group entries
  • On Windows: Accessed through the Windows Start menu, under Programs : Oracle Infrastructure (home) : Integrated Management Tools : Oracle Directory Manager.
  • On Unix: oidadmin
• Login using the orcladmin account.
• Migrated user and group entries appear under the Entry Management fork, typically starting with dc=com and working backwards through the domain name string (dc=com, then dc=crtinc, then cn=Users in this example).
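A small checker for the bootstrap summary, as an added example (Python; not part of the original presentation or of Oracle's tooling). It parses the counter lines in the output reproduced above and reports whether the bootstrap should be trusted before the synchronization profile is enabled. The sample text is the page's own output, reflowed one counter per line; the health rules applied to it (no failures, a non-zero read count, and the counters adding up) are this example's assumption about what a healthy summary looks like.

```python
"""Parse the summary printed by `dipassistant bootstrap` and judge its health.

Added example for this page, not Oracle code. Counter names are the ones
the tool prints (see the output above); the health rules are an assumption.
"""
import re

# Constructed sample: the page's own bootstrap output, one counter per line.
SAMPLE_OUTPUT = """\
-----------------------------------------------
Bootstrapping in progress.....
Bootstrapping completed.
#entries read ..................... 125
#entries filtered ................. 0
#entries ignored .................. 0
#successfully processed entries ... 125
#failures ......................... 0
Please see the log file for more information.
-----------------------------------------------
Updating the profile's last change number ..... Done.
"""

# "#<counter name> .... <integer>" -- the name is letters and spaces, the
# dots are padding, the value is the last token on the line.
COUNTER_RE = re.compile(r"^#(?P<name>[a-z][a-z ]*?)\s*\.{2,}\s*(?P<value>\d+)\s*$")


def parse_bootstrap_summary(text):
    """Return a dict such as {'entries read': 125, 'failures': 0, ...}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def bootstrap_problems(counters):
    """List of human-readable problems; an empty list means the bootstrap looks healthy."""
    required = ("entries read", "successfully processed entries", "failures")
    missing = [name for name in required if name not in counters]
    if missing:
        return ["summary incomplete, missing: " + ", ".join(missing)]
    read = counters["entries read"]
    processed = counters["successfully processed entries"]
    filtered = counters.get("entries filtered", 0)
    ignored = counters.get("entries ignored", 0)
    failures = counters["failures"]
    problems = []
    if failures:
        problems.append(f"{failures} entries failed")
    if read == 0:
        # Nothing read usually means a wrong search base, a bind failure for
        # the synchronization account, or no network path to AD.
        problems.append("no entries read: check search base, AD account, or connectivity")
    # Assumption: every entry read is accounted for by exactly one outcome.
    if processed + filtered + ignored + failures != read:
        problems.append(
            f"counters do not add up: read={read} processed={processed} "
            f"filtered={filtered} ignored={ignored} failures={failures}"
        )
    return problems


def bootstrap_ok(text):
    """True when the summary parsed from `text` shows no problems."""
    return not bootstrap_problems(parse_bootstrap_summary(text))


if __name__ == "__main__":
    stats = parse_bootstrap_summary(SAMPLE_OUTPUT)
    print(stats)
    print("bootstrap OK" if bootstrap_ok(SAMPLE_OUTPUT) else bootstrap_problems(stats))
```

Pipe the real dipassistant output into parse_bootstrap_summary (or point it at the log file the tool mentions) and gate the profile ENABLE step on bootstrap_ok returning True; the Status tab only records that the bootstrap completed, not whether every entry made it across.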
Synchronization Startup
Paper Section: 8
• The directory integration and provisioning server is started by executing the following from the command line, making certain to have first set the ORACLE_HOME environment variable:
  oidctl connect=iasdb server=odisrv instance=2 configset=1 flags="port=13061" start
• Substitute the SQL*Net connect string to the infrastructure's metadata repository (Oracle database) for the connect= value; the instance, configset and port values may also need substitution depending on your particular configuration.
• This process will be maintained by Oracle Process Manager and Notification Server (OPMN) from this point forward, so it should not require manual startup/shutdown beyond this initial deployment.
• Return to the Oracle Directory Integration and Provisioning Server Administrator console, click the Refresh button, and check the profile's Status tab for synchronization success.
Profile Configuration Changes (optional)
Paper Section: 9
• Profile configuration changes may be needed whenever a long period of time elapses after the most recent successful synchronization.
• The Oracle Directory Integration and Provisioning Server Administrator console generates the configuration file.
• This file is located in the ldap\odi\conf directory of the current Oracle Home, and named such that it matches the profile to which it corresponds (NewImport.cfg for the NewImport profile in this example).
• Detailed information about how and when to modify this file can be obtained from Metalink note #312691.1, available online at http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=312691.1
• If the configuration file changes then dipassistant must be invoked from the command line, making certain to have first set the ORACLE_HOME environment variable:
  dipassistant modifyprofile -port 13061 -profile NewImport -D "cn=orcladmin" -w admin01 odip.profile.configfile=NewImport.cfg
  (substitute the OID port, profile name, and orcladmin password for your installation)
• The following message should be displayed: Profile successfully modified.
Active Directory External Authentication Plug-In
Paper Section: 10
• This plug-in validates user-supplied passwords with AD "behind the scenes" during a user login sequence.
• Important: These steps involve execution of Unix shell scripts. When installation takes place on a Windows platform, it will be necessary to obtain an emulation utility such as Cygwin.
• Detailed information about this process appears in Chapter 16 of the Oracle Identity Management Integration Guide, which is available online at http://download-east.oracle.com/docs/cd/B14099_04/manage.1012/b14085/odip_actdir.htm#CHDIEJEF
• Execute the oidspadi.sh script from within the Unix emulation utility, making certain to have first set the ORACLE_HOME environment variable. A sample session follows; substitute the AD host name, port, database connect string, passwords and search base for your installation:
  export ORACLE_HOME="d:\oracle\infsrv"
  cd $ORACLE_HOME/ldap/admin
  sh oidspadi.sh
  ------------------------------------------
  OID Active Directory Plug-in Configuration
  ------------------------------------------
  Please make sure Database and OID are up and running.
  Please enter Active Directory host name: shuttle.crtinc.com
  Do you want to use SSL to connect to Active Directory? (y/n) n
  Please enter Active Directory port number [389]: 389
  Please enter DB connect string: iasdb
  Please enter ODS password: admin01
  Please enter confirmed ODS password: admin01
  Please enter orcladmin password: admin01
  Please enter confirmed orcladmin password: admin01
  Please enter the subscriber common user search base: cn=Users,dc=crtinc,dc=com
  Please enter the Plug-in Request Group DN:
  Please enter the exception entry property[(!(objectclass=orcladuser))]:
  Do you want to setup the backup Active Directory for failover? (y/n) n
  Procedure created.
  No errors.
  Procedure created.
  No errors.
  No errors.
  No errors.
  Registering Plug-ins ...
  adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
  adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
  ------------------------------------------------------
  Done.
  ------------------------------------------------------
• The SSL prompt is answered n above for a lab setup. Over a non-SSL connection the plug-in validates each user's password with an LDAP simple bind to AD, which carries the password across the network in cleartext; for production answer y and use the LDAPS port (636 by default) with an AD server certificate that OID trusts.
• The exception entry property (default (!(objectclass=orcladuser))) tells the plug-in to skip AD authentication for entries that Oracle defines itself, i.e. entries that did not get migrated from Active Directory and therefore lack the orcladuser object class, and to validate those against the password stored in OID. Without this exception it won't be possible for users such as portal or orcladmin to log in, because their binds would be forwarded to an Active Directory that has no such accounts.
• Upon completion of the plug-in deployment process, return to the Oracle Directory Manager console and navigate to the Plug-In Management fork.
• Make sure that the Plug-in Enable property is set for both adwhencompare and adwhenbind.
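The routing decision that the exception entry property controls, as an added example (Python; not Oracle's plug-in code and not from the original presentation). The search base and the default exception filter are the values from the oidspadi.sh session above. The sample entries (jsmith, orcladmin, PORTAL, svc) are constructed, and the rule itself, "entry under the search base and not matched by the exception filter: bind forwarded to AD; otherwise: checked against the password stored in OID", is this example's reading of the prompts rather than Oracle's documented internals. The filter evaluator goes a little beyond the default filter and handles the general (&), (|), (!), equality and presence forms.

```python
"""Which binds does the AD external authentication plug-in forward to AD?

Added example for this page, not Oracle's plug-in code. SEARCH_BASE and
DEFAULT_EXCEPTION come from the oidspadi.sh session above; the routing rule
(in scope of the search base AND not matched by the exception filter ->
forward to AD, otherwise -> verify against OID) is this example's assumption.
"""

SEARCH_BASE = "cn=Users,dc=crtinc,dc=com"           # "subscriber common user search base"
DEFAULT_EXCEPTION = "(!(objectclass=orcladuser))"   # default "exception entry property"

# Constructed sample entries: attribute names lower-cased, values as lists.
# orclADUser is the object class the AD connector puts on migrated entries.
ENTRIES = {
    "jsmith": {"dn": "cn=jsmith,cn=Users,dc=crtinc,dc=com", "cn": ["jsmith"],
               "objectclass": ["top", "person", "inetOrgPerson", "orclUserV2", "orclADUser"]},
    "orcladmin": {"dn": "cn=orcladmin,cn=Users,dc=crtinc,dc=com", "cn": ["orcladmin"],
                  "objectclass": ["top", "person", "inetOrgPerson", "orclUserV2"]},
    "portal": {"dn": "cn=PORTAL,cn=Users,dc=crtinc,dc=com", "cn": ["PORTAL"],
               "objectclass": ["top", "person", "inetOrgPerson", "orclUserV2"]},
    "outside": {"dn": "cn=svc,cn=Services,dc=crtinc,dc=com", "cn": ["svc"],
                "objectclass": ["top", "person"]},
}


def parse_filter(text):
    """Parse the RFC 4515 subset (&..), (|..), (!..), (attr=value), (attr=*) into a tree."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        op = text[i]
        if op in "&|":
            i += 1
            children = []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        if op == "!":
            node, i = parse(i + 1)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return ("!", node), i + 1
        end = text.index(")", i)
        attr, eq, value = text[i:end].partition("=")
        if not attr or not eq:
            raise ValueError(f"bad filter item: {text[i:end]!r}")
        return ("=", attr.strip().lower(), value.strip()), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry; string matching is case-insensitive,
    which is how objectClass and most string attributes compare in LDAP."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                      # presence filter, e.g. (mail=*)
        return bool(values)
    return value.lower() in values


def auth_path(entry, search_base=SEARCH_BASE, exception_filter=DEFAULT_EXCEPTION):
    """Return 'active directory' if the bind would be forwarded to AD, else 'oid'."""
    # Scope check is a plain DN suffix match, adequate for well-formed DNs like the samples.
    if not entry["dn"].lower().endswith("," + search_base.lower()):
        return "oid"
    if exception_filter and matches(parse_filter(exception_filter), entry):
        return "oid"
    return "active directory"


if __name__ == "__main__":
    for name, entry in ENTRIES.items():
        print(f"{name:10s} default exception -> {auth_path(entry):16s}"
              f" no exception -> {auth_path(entry, exception_filter='')}")
```

Running it shows the failure the slide warns about: with the default filter, jsmith goes to AD while orcladmin and PORTAL stay with OID; with the exception filter blanked, every entry under cn=Users is sent to AD, including the two Oracle-defined accounts that AD has never heard of.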
Testing
Paper Section: 11
• At this point:
  • OID has been populated with an initial set of users and groups via bootstrap migration from Active Directory
  • The Oracle Directory Integration and Provisioning tool has been configured such that it will use the Active Directory Connector to keep this information synchronized.
  • The Oracle Directory Server has been directed to authenticate users migrated from Active Directory using the Oracle-supplied Active Directory External Authentication Plug-in.
• It should now be possible to log in to Oracle Portal using one of the migrated Active Directory users.
• Do this by entering the following URL into a browser, substituting your machine name and port:
  http://{machine name}:{port}/pls/portal
• Log in with one of the migrated Active Directory user accounts, using its current AD password.
• Note that the username should be of the form: name@ad_domain.com
Windows Native Authentication (WNA)
Paper Section: 12
• This feature allows users to authenticate with their desktop credentials when using Internet Explorer (only)
• Passes a Kerberos session ticket through the browser to the Oracle SSO server as a background operation.
• The login process is automatic, and is thus sometimes called "zero sign-on" (or "zero authentication")
• The Active Directory / OID synchronization and External Authentication configuration steps outlined in this presentation satisfy the prerequisites for setting up WNA.
• Step-by-step setup instructions are provided in the Windows Native Authentication OBE document, which is available online at http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
Summary
• This presentation described how Oracle Directory Integration and Provisioning can be utilized to enable synchronization between OID and AD, including:
  • Establishment of Synchronization Profiles
  • When to modify mapping files
  • Synchronization startup and "bootstrapping"
  • Deployment of the Oracle-supplied Active Directory External Authentication Plug-in
  • Windows Native Authentication for "zero sign-on" capability (brief discussion)